Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

SAMATE Bibliography

[SAMATE Home | IntrO TO SAMATE | SARD | SATE | Bugs Framework | Publications | Tool Survey | Resources]

DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.

We also keep a list of all SAMATE Publications and presentations.


Product Evaluation and Surveys
Technical Algorithm Papers
Specific Vulnerabilities
Other Papers


  • CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2012.
  • CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2011.
  • P. K. Manadhata, K. M. C. Tan, R. A. Maxion, and J. M. Wing, An Approach to Measuring a System's Attack Surface, Carnegie Mellon University, Technical Report CMU-CS-07-146, August 2007.
  • O. H. Alhazmi, Y. K. Malaiya and I. Ray, Security Vulnerabilities in Software Systems A Quantitative Perspective, Colorado State University, IFIP WG 11.3 Working Conference on Data and Applications Security, 2005, August 2005
  • Joe Schofield, The Statistically Unreliable Nature of Lines of Code, CrossTalk, 18(4):29-33, April 2005.
  • Brian Chess and Katrina Tsipenyuk, A Metric for Evaluating Static Analysis Tools, MetriCon 1.0, Vancouver, August 2006.

Product Evaluation and Surveys 

in reverse chronological order

  • Booz Allen Hamilton, Software Security Assessment Tools Review, March 2009.
  • Martin Johns, Scanstud - Evaluating static analysis tools, May 2008
  • R Krishnan, Margaret Nadworny, and Nishil Bharill, Static Analysis for Improving Secure Software Development at Motorola, November 2007
  • Redge Bartholomew, Evaluation of Static Source Code Analyzers for Real-Time Embedded Software Development, November 2007
    Available in Proc. Static Analysis Workshop II SASII, Ada Letters, April 2008.
  • Larry Suto, Analyzing the Effectiveness and Coverage of Web Application Security Scanners, October 2007
  • Justin Schuh, Code Scanners: False Sense of Security?, 16 April 2007
  • Peter A. Buxbaum, All for one, but not one for all, GCN, March 18, 2007
  • Jeff Forristal, Review: Source-Code Assessment Tools Kill Bugs Dead, Secure Enterprise Magazine, Dec. 2005.
  • Brian E. Burke, sponsored by Webroot, Securing Enterprise Environments Against Spyware : Benefits of Best-of-Breed Security, November 2005
  • Kendra Kratkiewicz, Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code, Master's thesis, Harvard University, Cambridge, MA, 2005, 285 pages.
  • Freeland Abbott and Joseph Saur, A Comparison of Code Checker Technologies for Software Vulnerability Evaluation, Code Checkers Project Evaluation Report, Joint Systems Integration Command, 25 April 2005
  • Misha Zitser, Richard Lippmann, and Tim Leek, Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code, Proc. FSE-12, ACM SIGSOFT, 2004. DOI 10.1145/1029894.1029911
  • Defense Information Systems Agency, Application Security Assessment Tool Market Survey, Version 3.0, July 29, 2004.
  • Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster,  A Comparison of Bug Finding Tools for Java - The 15th IEEE International Symposium on Software Reliability Engineering (ISSRE'04). Saint-Malo, Bretagne, France. November 2004.

Technical Algorithm Papers 

alphabetical by author's last name

  • Sagar Chaki and Scott Hissam, Certifying the Absence of Buffer Overflows, Technical Note CMU/SEI-2006-TN-030, September 2006. 
  • Christoph Csaliner and Yannis Smaragdakis, Check 'n' Crash: Combining Static Checking and Testing, in Proceedings of 27th international conference on software engineering, May 15-21, 2005.
  • David Hovemeyer and William Pugh.  Finding Bugs is Easy, in SIGPLAN Notices (Proceedings of Onward! at OOPSLA 2004), December, 2004
  • Holger Peine, Rules of Thumb for Secure Software Engineering, in Proceedings of 27th International Conference on Software Engineering (ICSM), May 15-21, 2005.
  • Marco Pistoia, Satish Chandra, Stephen J. Fink, and Eran Yahaz, A survey of static analysis methods for identifying security vulnerabilities in software systems, IBM Systems Journal, 46(2):265-288, April-June 2007.
  • Donald J. Reifer, Protecting Yourself Against Malicious Code in COTS, Systems & Software Technology Conference, 18 - 21 April 2005, Salt Lake City, UT
  • Alexander Ivanov Sotirov, Automatic vulnerability detection static source code analysis, A Master's degree Thesis, 2005
  • David Wagner, Jeffrey Foster, Eric Brewer, Alexander Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, in Proceedings of the Network and Distributed Security Symposium, Feb. 2000. 

Specific Vulnerabilities 

Other Papers 


  • Secure Programming with Static Analysis, Brian Chess & Jacob West, Addison-Wesley - ISBN 0-321-42477-8
  • Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith, Addison-Wesley - ISBN 0-32-134998-9
  • IEEE 610.12-1990IEEE Standard Glossary of Software Engineering Terminology

  • Building Secure Software, John Viega & Gary McGraw, Addison-Wesley - ISBN 0-201-72152-X
  • Exploiting Software, How to Break Code, Greg Hoglund & Gary McGraw, Addison-Wesley - ISBN 0-201-78695-8
  • Secure Programming Cookbook for C and C++, John Viega & Matt Messier, O'Reilly - ISBN 0-59-600394-3
  • Buffer Overflow Attacks, Detect, Exploit, Prevent, James C. Foster, Vitaly Osipov, Nish Bhalla, Niels Heinen, SYNGRESS - ISBN 1-93-226667-4
  • Secure Coding in C and C++, Robert C. Seacord, Second Edition, Addison-Wesley, 2013. ISBN-13: 978-0-321-82213-0
  • Secure Coding - Principles and Practices, Mark G. Graff and Kenneth R. van Wyk, O'Reilly - ISBN 0-59-600242-4
  • 19 Deadly Sins of Software Security, Michael Howard, David LeBlanc, John Viega, McGraw-Hill Osborne Media - ISBN 0-07-226085-8
Created May 17, 2021